5/14/2015 6:33:16 AM 5864_ER_WHITE.1
Simple use of UML for assisting in the creation of Common Criteria evaluation inputs
Karen Sheh
CSC Australia

Karen Sheh
Performs Common Criteria Evaluations within CSC Australia’s Evaluation Facility
Risk assessments and plans within CSC Australia’s Global Security Solutions team for Australia’s Department of Immigration and Citizenship

Outline
Part 1
–Introduction
–Related Work
Part 2
–Ideas for deriving documentation from simple UML
Part 3
–Summary
–The Way Forward
–Questions and Comments

Part 1
Simple use of UML for assisting in the creation of Common Criteria evaluation inputs

Background
The Common Criteria (CC) is an internationally recognised standard, with many countries requiring or recommending that CC-evaluated products be used by their Government Departments.
However, this standard is often confusing and complex, and the production of inputs required for evaluation can be difficult.
A quick online search of university Computing Degrees shows that many are teaching Software Engineering tools, including basic UML.

Background (cont.)
Looking at assisting in the production of the Security Target (ST), Functional Specification (FSP) and High Level Design (HLD) documentation.
Looking at using Use Case diagrams, Class diagrams and Activity diagrams to assist.
Looking at these diagrams from a Common Criteria perspective rather than a Software Engineering perspective.

Example of Basic UML
There are 13 UML diagrams in the specification, grouped into three groups (taken from the OMG website on UML).
–Structure Diagrams – describe the structure of a system.
–Behaviour Diagrams – describe the behaviour of a system.
–Interaction Diagrams – describe the interactions within a system.
Show examples for use in CC with three diagrams that are commonly taught at University and in online tutorials.

Example of Basic UML
Use Case Diagram

Example of Basic UML
Class Diagram

Example of Basic UML
Activity Diagram

Related Work
Ware, Bowles and Eastman describe the integration of CC threats into the UML Actors of Use Cases.
–Actor profiles
–Threats selected from a pre-defined set that match the actor’s associations
UMLSec extension to the UML standard.
Mellado, Fernández-Medina and Piattini analysed eight proposed methods of integrating CC in Software Development.
–Concludes that information security “is usually only tackled from a technical viewpoint at the implementation stage”.
However, these usually require more specific knowledge than a basic understanding of UML.

Ware, Bowles and Eastman, ‘Security-Critical System Development with Extended Use Cases’, 10th Asian-Pacific Software Engineering Conference, Chiang Mai, Thailand.
Mellado, Fernández-Medina and Piattini, ‘A Comparison of the Common Criteria with Proposals of Information Systems Security Requirements’, Proceedings of the IEEE Conference on Availability, Reliability and Security (ARES’06), Austria, 2006.

Part 2
Simple use of UML for assisting in the creation of Common Criteria evaluation inputs

Common CC difficulties I have experienced
These are difficulties that may be helped by the use of UML in the creation of the documents or even within the documents.
–Inconsistent or difficult to understand scope of the Target of Evaluation (TOE) in the ST.
–Inconsistent or difficult to understand interactions within the TOE.
–Missing interfaces or components that have been left off in worded descriptions.
–Multiple interpretations of worded descriptions within the ST, FSP, HLD as to functionality, relationships and scope.

Use of UML in the ST
Use Case diagrams can be used to define the scope of functionality of the TOE (ASE_INT.1.6C to ASE_INT.1.8C).
–Actors being external entities and Use Cases being in scope of the TOE.
Use Cases can also be used to help identify the security problem the TOE addresses (ASE_SPD), the Security Objectives of the TOE (ASE_OBJ) and also the Security Functional Requirements (ASE_REQ).

Example
Identifying scope and possible security problems

Use of UML in the FSP
The Use Cases can be useful in helping to determine external interfaces.
Activity diagrams can be useful for identifying the behaviour of the TOE at each external interface (ADV_FSP.2-5).
Activity Diagrams and Use Cases can be used as evidence to show that the TOE Security Functions (TSFs) derived in the ST are completely represented (ADV_FSP.2-6, ADV_FSP.2-7).

Example
Identifying external interfaces

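The derivation described on the "Use of UML in the FSP" slide, as an added example that is not part of the original presentation: a use-case model is reduced to actor/use-case associations (candidate external interfaces) and checked against the TSFs claimed in the ST. The mail gateway TOE, its actors, use cases and TSF list are constructed for illustration, and all function names are hypothetical.

```python
# Added illustration; the model below is constructed and is not from the slides.
from dataclasses import dataclass


@dataclass(frozen=True)
class UseCase:
    name: str      # use case inside the TOE boundary
    actors: tuple  # external entities associated with it
    tsfs: tuple    # TSFs from the ST that it exercises


# Constructed use-case model of a hypothetical mail gateway TOE.
MODEL = [
    UseCase("Log in", ("Administrator", "User"),
            ("Identification and Authentication",)),
    UseCase("Review audit log", ("Administrator",), ("Security Audit",)),
    UseCase("Send message", ("User", "Remote Mail Server"), ()),
]
# TSFs claimed in the (hypothetical) ST.
ST_TSFS = ["Identification and Authentication", "Security Audit",
           "User Data Protection"]


def external_interfaces(model):
    """Each actor/use-case association crosses the TOE boundary, so it is a
    candidate external interface to describe in the FSP."""
    return sorted({(actor, uc.name) for uc in model for actor in uc.actors})


def unrepresented_tsfs(model, st_tsfs):
    """TSFs claimed in the ST that no use case exercises."""
    covered = {tsf for uc in model for tsf in uc.tsfs}
    return [tsf for tsf in st_tsfs if tsf not in covered]


def untraced_use_cases(model):
    """Use cases with no TSF trace: either non-security functionality or a
    security function missing from the ST."""
    return [uc.name for uc in model if not uc.tsfs]


if __name__ == "__main__":
    for actor, use_case in external_interfaces(MODEL):
        print(f"interface: {actor} -> {use_case}")
    print("TSFs not represented:", unrepresented_tsfs(MODEL, ST_TSFS))
    print("Use cases to review:", untraced_use_cases(MODEL))
```
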
Use of UML in the High Level Design
HLD can use Class diagrams/cards or a derivative of them, as they can map nicely to the subsystems.
These classes can be directly derived from the Use Case breakdown from the FSP or from Interaction or Activity diagrams.
They can also be hardware components, as these can also be modelled in UML as classes.

Example
Identifying subsystems

Part 3
Simple use of UML for assisting in the creation of Common Criteria evaluation inputs

Summary
CC can be complex and difficult to understand for developers and companies considering evaluation.
The use of Software Engineering tools that developers already use to assist in creating CC documents will increase the accessibility of CC.
The use of already created Software Engineering artifacts such as UML diagrams will allow CC documents to be more accurate, which in turn will reduce costs and time needed for evaluation.

The Way Forward
Use of UML or other Software Engineering tools to automate the production of CC documents or templates.
Investigation of how other Software Engineering methods can be used in assisting in the creation of CC documents.
Encourage Software Engineers to see how Software Engineering tools can be mapped to CC requirements as a method for improving IT Security.

Questions or comments?
Information on CSC Evaluations and Pre-Evaluation Consultation Services – Karen Sheh
Thank you!